The CRA is here. Now what?

A presentation at Open Source Experience in December 2024 in Paris, France by Tobie Langel

The CRA has landed. Now what? Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)

Agenda 1. CRA Fundamentals 2. CRA innovation: full supply chain compliance 3. How ORC WG steps in Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 2

CRA fundamentals The “Why” In the European Commission’s own words* “Hardware and software products are increasingly subject to successful cyberattacks, leading to an estimated global annual cost of cybercrime of €5.5 trillion by 2021.” *Source: https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 3

CRA fundamentals The “Why” In the European Commission’s own words* “From baby-monitors to smart-watches, products and software that contain a digital component are omnipresent in our daily lives. Less apparent to many users is the security risk such products and software may present.” *Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 4

CRA fundamentals The “Why” In the European Commission’s own words* “The Cyber Resilience Act (CRA) aims to safeguard consumers and businesses buying or using products or software with a digital component.” *Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 5

CRA fundamentals The “Why” In the European Commission’s own words* “The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.” *Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 6

CRA fundamentals The “Why” In the European Commission’s own words* “The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.” The “Who” *Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 7

CRA fundamentals The “Why” In the European Commission’s own words* “The Act would see inadequate security features become a thing of the past with the introduction of mandatory cybersecurity requirements for manufacturers and retailers of such products, with this protection extending throughout the product lifecycle.” The “What” *Source: https://digital-strategy.ec.europa.eu/en/policies/cyber-resilience-act Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 8

CRA fundamentals The “Who” “Manufacturers” Anyone “placing a product” on the European market. “Open Source Stewards” Essentially code-hosting foundations. For-profits can be stewards too if they’re not monetizing the project. Open source maintainers “Hobbyist” projects aren’t in scope, but any widely adopted project will be indirectly impacted. Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 9

CRA fundamentals The “What” Manufacturers Cybersecurity risk assessment. Cybersecurity requirements governing planning, design, development and maintenance across supply chain and throughout product lifecycle. Vulnerability management, reporting, and upstreaming of fixes. Etc. f o e c n e g i l i d e u Perform d ! s e i c n e d n e p e open source d Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 10

CRA fundamentals The “What” Open source stewards (light-touch regime) Cybersecurity policy. Vulnerability handling. Both Additional requirements for important and critical products. Cooperation with market surveillance authorities. Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 11

CRA fundamentals The “How” “Harmonized standards” 44(!) standards requested to the European Standards Organisations (ESOs). Provide presumption of conformity. Additional “Implementing Acts” E.g. to set up an attestation program Best practices Formalized best practices help manufacturers perform due diligence Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 12

CRA fundamentals The “When” CRA Entry into force: November 11, 2024 Vulnerability reporting: September 11, 2026 All other obligations: December 11, 2027 Harmonized standards Horizontal (type A): August 30, 2026 Vertical (type C): October 30, 2026 Horizontal (type B): October 30, 2027 Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 13

“We know how to do compliance already. How is this different?” Copyright 2024, ECLIPSE FOUNDATION WORK IS LICENSED UNDERA A CREATIVE CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)(CC BY 4.0) Copyright 2024, ECLIPSE FOUNDATION | THIS| THIS WORK IS LICENSED UNDER COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE 14

CRA innovation: full supply chain compliance Authored and procured code (24%) Open source supply chain (76%) Software stack Compliance so far CRA compliance
Source: Synopsis OSSRA Report 2023 Copyright 2024, ECLIPSE FOUNDATION WORK IS LICENSED UNDERA A CREATIVE CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)(CC BY 4.0) Copyright 2024, ECLIPSE FOUNDATION | THIS| THIS WORK IS LICENSED UNDER COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE 15

Impact of full supply chain compliance Authored and procured code Compliance is managed through internal practices and vendor agreements. Authored and procured code (24%) Open source supply chain (76%) Software stack * Source: Synopsis OSSRA Report 2023 Copyright 2024, ECLIPSE FOUNDATION WORK IS LICENSED UNDERA A CREATIVE CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)(CC BY 4.0) Copyright 2024, ECLIPSE FOUNDATION | THIS| THIS WORK IS LICENSED UNDER COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE 16

Impact of full supply chain compliance Authored and procured code (24%) Open source supply chain Compliance has to be brokered with open source community. Compliance requirements stay with manufacturers. Open source supply chain (76%) Software stack This is new!
Source: Synopsis OSSRA Report 2023 Copyright 2024, ECLIPSE FOUNDATION WORK IS LICENSED UNDERA A CREATIVE CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)(CC BY 4.0) Copyright 2024, ECLIPSE FOUNDATION | THIS| THIS WORK IS LICENSED UNDER COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE 17

Impact of full supply chain compliance Authored and procured code Compliance is managed through internal practices and vendor agreements. Authored and procured code (24%) Open source supply chain Compliance has to be brokered with open source community. Compliance requirements stay with manufacturers. Open source supply chain (76%) Software stack * Source: Synopsis OSSRA Report 2023 This is where n i s p e t s G W ORC Copyright 2024, ECLIPSE FOUNDATION WORK IS LICENSED UNDERA A CREATIVE CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0)(CC BY 4.0) Copyright 2024, ECLIPSE FOUNDATION | THIS| THIS WORK IS LICENSED UNDER COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE 18

ORC WG Neutral forum where community and industry can work out supply chain compliance together Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 19

ORC WG (draft) Mission The mission of the ORC WG is to serve as a neutral forum for the open source community, maintainers, industry, small and medium enterprise (SME), research, open source foundations and related nonprofits to come together to understand and develop a point of view on emerging regulation, inform the broader ecosystem of its impact and collect its feedback, propose solutions leading to a sustainable and thriving open source ecosystem, develop educational material to inform and help with the implementation of regulation, develop specifications that formalize best practices, and collaborate with institutions by providing inputs to regulatory processes and participating in formal standardization efforts. Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 20

ORG WG focus Education & Thought Leadership Close the knowledge gap! Technical Development Formalize best practices into specifications. Channel community and industry input to formal standardization bodies. Institutional Engagement Coordinate community and industry collaboration with the institutions. Representation The more we are, the stronger our voice is! Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 21

ORC WG Members Mission Statement Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 22

Join us! https://orcwg.org/ Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 23

Thank you! Copyright 2024, ECLIPSE FOUNDATION | THIS WORK IS LICENSED UNDER A CREATIVE COMMONS ATTRIBUTION 4.0 INTERNATIONAL LICENSE (CC BY 4.0) 24

Tobie Langel
@tobie

1 / 24

On November 20, 2024 the Cyber Resilience Act (CRA) was published in Official Journal of the European Union, starting a three year race for compliance by the global technology industry. This legislation sets new cybersecurity requirements that manufacturers and the open source projects they rely upon must meet.

In this presentation, we will provide an overview of these compliance requirements and outline how the Open Regulatory Compliance (ORC) Working Group of the Eclipse Foundation is collaborating in the open with numerous open source foundations, SMEs, and the industry to address them.